Add wireguard peers between boeing and routeur-ft/thot

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
2022-06-28 14:19:21 +02:00 · 2022-06-28 14:19:21 +02:00 · 80db7ec7aa
parent bac8ffdc72
commit 80db7ec7aa
7 changed files with 93 additions and 6 deletions
--- a/host_vars/boeing.adm.crans.org.yml
+++ b/host_vars/boeing.adm.crans.org.yml
@ -8,14 +8,31 @@ loc_wireguard:
    - name: "sputnik"
      listen_port: 51820
      private_key: "{{ vault.wireguard.boeing.privkey }}"
+      table: "off"
      peers:
        - public_key: "{{ vault.wireguard.sputnik.pubkey }}"
          allowed_ips:
            - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv4 | first }}/32"
            - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }}/128"
          endpoint: "{{ query('ldap', 'ip', 'sputnik', 'srv') | ipv4 | first }}:51820"
-      post_up: "sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.sputnik.proxy_arp=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=1; ip neigh add proxy {{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }} dev ens18"
-      post_down: "sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.sputnik.proxy_arp=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=0; ip neigh delete proxy {{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }} dev ens18"
+        - public_key: "{{ vault.wireguard.routeur_ft.pubkey }}"
+          allowed_ips:
+            - "{{ query('ldap', 'network', 'adm') }}"
+            - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
+          persistent_keepalive: 25
+        - public_key: "{{ vault.wireguard.routeur_thot.pubkey }}"
+          allowed_ips:
+            - "{{ query('ldap', 'network', 'adm') }}"
+            - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
+          persistent_keepalive: 25
+      post_up:
+        - "sysctl -w net.ipv4.conf.all.forwarding=1; sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.sputnik.proxy_arp=1"
+        - "sysctl -w net.ipv6.conf.all.forwarding=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=1"
+        - "python3 /var/local/services/proxy/proxy.py --alter"
+      pre_down:
+        - "sysctl -w net.ipv4.conf.all.forwarding=0; sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.sputnik.proxy_arp=0"
+        - "sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=0"
+        - "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy"

 loc_service_proxy:
  config:
--- a/host_vars/routeur-ft.adm.crans.org.yml
+++ b/host_vars/routeur-ft.adm.crans.org.yml
@ -3,6 +3,29 @@ interfaces:
  adm: ens18
  auto: ens19

+loc_wireguard:
+  tunnels:
+    - name: "wg0"
+      listen_port: 51820
+      private_key: "{{ vault.wireguard.routeur_ft.privkey }}"
+      table: "off"
+      peers:
+        - public_key: "{{ vault.wireguard.boeing.pubkey }}"
+          allowed_ips:
+            - "{{ query('ldap', 'network', 'adm') }}"
+            - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
+          endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51820"
+          persistent_keepalive: 25
+      post_up:
+        - "sysctl -w net.ipv4.conf.all.forwarding=1; sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.wg0.proxy_arp=1"
+        - "sysctl -w net.ipv6.conf.all.forwarding=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.wg0.proxy_ndp=1"
+        - "ip route add 172.16.10.1 dev wg0 proto proxy"
+        - "python3 /var/local/services/proxy/proxy.py --alter"
+      pre_down:
+        - "sysctl -w net.ipv4.conf.all.forwarding=0; sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.wg0.proxy_arp=0"
+        - "sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.wg0.proxy_ndp=0"
+        - "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy"
+
 loc_service_proxy:
  config:
    ldap:
--- a/host_vars/routeur-thot.adm.crans.org.yml
+++ b/host_vars/routeur-thot.adm.crans.org.yml
@ -3,6 +3,29 @@ interfaces:
  adm: ens18
  auto: ens19

+loc_wireguard:
+  tunnels:
+    - name: "wg0"
+      listen_port: 51820
+      private_key: "{{ vault.wireguard.routeur_thot.privkey }}"
+      table: "off"
+      peers:
+        - public_key: "{{ vault.wireguard.boeing.pubkey }}"
+          allowed_ips:
+            - "{{ query('ldap', 'network', 'adm') }}"
+            - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
+          endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51820"
+          persistent_keepalive: 25
+      post_up:
+        - "sysctl -w net.ipv4.conf.all.forwarding=1; sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.wg0.proxy_arp=1"
+        - "sysctl -w net.ipv6.conf.all.forwarding=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.wg0.proxy_ndp=1"
+        - "ip route add 172.16.10.1 dev wg0 proto proxy"
+        - "python3 /var/local/services/proxy/proxy.py --alter"
+      pre_down:
+        - "sysctl -w net.ipv4.conf.all.forwarding=0; sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.wg0.proxy_arp=0"
+        - "sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.wg0.proxy_ndp=0"
+        - "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy"
+
 loc_service_proxy:
  config:
    ldap:
--- a/host_vars/sputnik.adm.crans.org.yml
+++ b/host_vars/sputnik.adm.crans.org.yml
@ -22,7 +22,8 @@ loc_wireguard:
            - "{{ query('ldap', 'network', 'adm') }}"
            - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
          endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51820"
-      post_up: "/sbin/ip link set sputnik alias adm"
+      post_up:
+        - "/sbin/ip link set sputnik alias adm"

 loc_slapd:
  ip: "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv4 | first }}"
--- a/2
+++ b/2
@ -269,6 +269,8 @@ sputnik.adm.crans.org

 [wireguard]
 boeing.adm.crans.org
+routeur-ft.adm.crans.org
+#routeur-thot.adm.crans.org
 sputnik.adm.crans.org

 [crans_routeurs:children]
--- a/roles/wireguard/tasks/main.yml
+++ b/roles/wireguard/tasks/main.yml
@ -5,7 +5,6 @@
    name:
      - wireguard
      - resolvconf
-      - linux-headers-amd64
  register: apt_result
  retries: 3
  until: apt_result is succeeded
--- a/roles/wireguard/templates/wireguard/tunnel.conf.j2
+++ b/roles/wireguard/templates/wireguard/tunnel.conf.j2
@ -8,18 +8,40 @@ Address = {{ item.addresses | join(", ") }}
 ListenPort = {{ item.listen_port }}
 {% endif %}
 PrivateKey = {{ item.private_key }}
+{% if item.table is defined %}
+Table = {{ item.table }}
+{% endif %}

+{% if item.pre_up is defined %}
+{% for command in item.pre_up %}
+PreUp = {{ command }}
+{% endfor %}
+{% endif %}
 {% if item.post_up is defined %}
-PostUp = {{ item.post_up }}
+{% for command in item.post_up %}
+PostUp = {{ command }}
+{% endfor %}
+{% endif %}
+{% if item.pre_down is defined %}
+{% for command in item.pre_down %}
+PreDown = {{ command }}
+{% endfor %}
 {% endif %}
 {% if item.post_down is defined %}
-PostDown = {{ item.post_down }}
+{% for command in item.post_down %}
+PostDown = {{ command }}
+{% endfor %}
 {% endif %}

 {% for peer in item.peers %}
 [Peer]
 PublicKey = {{ peer.public_key }}
 AllowedIPs = {{ peer.allowed_ips | join(", ") }}
+{% if peer.endpoint is defined %}
 Endpoint = {{ peer.endpoint }}
+{% endif %}
+{% if peer.persistent_keepalive is defined %}
+PersistentKeepalive = {{ peer.persistent_keepalive }}
+{% endif %}

 {% endfor -%}